GDPR applies to any organization that processes personal data of individuals in the EU, regardless of where the organization itself is based (Article 3), including US-based companies with EU customers.
Who needs GDPR compliance?
Companies with EU customers
Any organization collecting or processing personal data from EU/EEA individuals — including website visitors, customers, and employees.
Data processors
Third-party service providers handling personal data on behalf of other organizations (SaaS platforms, cloud providers, analytics tools).
Key GDPR principles
Lawfulness & Transparency
Data must be processed lawfully, fairly, and transparently.
Purpose Limitation
Collected only for specified, legitimate purposes.
Data Minimization
Only collect what is necessary.
Accuracy
Keep personal data accurate and up to date.
Storage Limitation
Do not keep data longer than necessary.
Security (Integrity & Confidentiality)
Protect data against unauthorized or unlawful processing, loss, destruction, or damage using appropriate technical and organizational measures.
Key requirements
| Requirement | Description |
|---|---|
| Processing Records | Maintain a record of processing activities as a controller or processor (Article 30) |
| Impact Assessments | Conduct a data protection impact assessment (DPIA) before processing that is likely to result in a high risk to individuals (Article 35) |
| Data Subject Rights | Enable access, rectification, erasure, restriction, portability, and objection (Articles 15 to 21) |
| Breach Notification | Notify the supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33), and affected individuals when the breach is likely to result in a high risk to them (Article 34) |
| Data Protection Officer | Appoint a DPO where required, such as for public authorities or large-scale monitoring or special-category processing (Article 37) |
| Cross-border Transfers | Transfer personal data outside the EU/EEA only under an adequacy decision or with appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules (Chapter V) |
How DSALTA helps
- Privacy-specific controls mapped to GDPR articles
- Data processing record templates for Article 30 compliance
- AI-generated privacy policies customizable to your needs
- Vendor risk management to assess processor compliance
- Cross-framework mapping — overlaps with ISO 27001, SOC 2, and HIPAA
Frequently asked questions
Does GDPR apply to my US-based company?
Yes, if you offer goods or services to, or monitor the behavior of, individuals in the EU (Article 3(2)), or process personal data in the context of an EU establishment (Article 3(1)). This covers website visitors, customers, and employees in the EU.
What is a DPO?
A Data Protection Officer oversees data protection strategy and compliance and acts as the contact point for supervisory authorities and data subjects. A DPO is required for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37).
How does GDPR overlap with other frameworks?
GDPR shares significant overlap with ISO 27001 (security controls), SOC 2 (privacy criteria), HIPAA (data protection), and NIS 2 (cybersecurity). DSALTA maps these overlaps automatically.